From 92c0543614fb92cf8217d8cc24a367296f3ade37 Mon Sep 17 00:00:00 2001 From: Lauri Ojansivu Date: Tue, 12 Aug 2025 14:33:55 +0300 Subject: [PATCH] Added docs for Windows SSL/TLS. Thanks to xet7 ! Related #5866 --- docs/Platforms/Propietary/Windows/Offline.md | 282 +++++++++++++++++++ 1 file changed, 282 insertions(+) diff --git a/docs/Platforms/Propietary/Windows/Offline.md b/docs/Platforms/Propietary/Windows/Offline.md index f23ab6f2f..d191fbd40 100644 --- a/docs/Platforms/Propietary/Windows/Offline.md +++ b/docs/Platforms/Propietary/Windows/Offline.md @@ -57,6 +57,288 @@ RELATED INFO: - Windows 2022 server example https://github.com/wekan/wekan/issues/5084 - Other settings example https://github.com/wekan/wekan/issues/4932 +## SSL/TLS at internal network, that is not connected to Internet, and can not used from Internet + +Configuring Caddy for SSL/TLS on a local LAN without an internet connection requires you to **manually create and manage certificates**, as Caddy's automatic certificate provisioning relies on external services like Let's Encrypt, which need internet access. Here's a breakdown of the process: + +#### Generate Certificates ๐Ÿ”‘ + +First, you'll need to generate a self-signed certificate authority (CA) and then use it to sign a certificate for your local domain. You can use tools like **OpenSSL** or **Caddy's own `cert` command**. + +1. **Create a Root CA:** + `openssl genrsa -out rootCA.key 2048` + `openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 365 -out rootCA.pem` + +2. **Create a Server Certificate:** + + * Create a configuration file (`server.csr.cnf`) for your server certificate. + * `openssl req -new -nodes -newkey rsa:2048 -keyout server.key -out server.csr -config server.csr.cnf` + * `openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 365 -sha256 -extfile server.csr.cnf -extensions req_ext` + +This process creates `server.crt` and `server.key`โ€”the files Caddy will use. + +#### Configure Caddyfile ๐Ÿ“œ + +Next, you need to tell Caddy to use these specific certificates instead of trying to get them automatically. +Modify your `Caddyfile` to use the `tls` directive with the paths to your generated files. + +Caddyfile: +``` +wekan.example.com { + tls { + load C:\wekan\certs\example.com.pem + alpn http/1.1 + } + proxy / localhost:2000 { + websocket + transparent + } +} +``` + + * **`your_local_domain.lan`** is the hostname you'll use to access the site from other computers on your network. + * **`tls C:\path\to\server.crt C:\path\to\server.key`** is the key part. It explicitly tells Caddy to use these certificate and key files. + +#### Trust the Certificate ๐Ÿ”’ + +Finally, for browsers and other clients on your network to trust the connection and not show a security warning, you must **install the root CA certificate (`rootCA.pem`) on each client machine**. + +1. On each client, navigate to the certificate management store (e.g., in Windows, search for "Manage computer certificates"). +2. Import the `rootCA.pem` file into the "Trusted Root Certification Authorities" store. + +This tells the client that any certificate signed by this CA (like your `server.crt`) is trustworthy. Without this step, every client will display a **security warning** because the certificate isn't from a publicly trusted authority. + +#### Add wekan.example.com to every computer hosts file + +As Administrator, edit with Notepad, changing dropdown *.txt to All Files, C:\Windows\System32\drivers\etc\hosts textfile. + +To hosts file, add WeKan server local IP address: + +``` +192.168.0.200 wekan.example.com +``` + +Alternatively, use some nameserver at Windows server to have domain names at local network. + +#### Other remaining settings for local network SSL/TLS, not connected to Internet + +Look at similar settings below. + +## SSL/TLS with Caddy webserver, accessible at Internet + +This will start Caddy, like this: + +``` +example.com CloudFlare SSL/TLS Origin Certificate HTTP 443 +=> Public IPv4 Cable modem HTTPS port 443 +=> Local IPv4 HTTPS port 443 Caddy +=> Local IPv4 HTTP port 2000 Node.js main.js WeKan +=> MongoDB port 27017 +``` + +From CloudFlare to Caddy, all is SSL/TLS encrypted. +Caddy proxies all encrypted traffic to Node.js unencrypted HTTP port 2000. + +At WeKan server laptop/desktop, locally between these executeable files, +HTTP traffic is not encrypted: + +- Between Caddy and WeKan +- Between WeKan and MongoDB + +But outside of that server, all is SSL/TLS encrypted. + +### 1) Check your WeKan server Windows computer local IPv4 address + +You can check your IP address on Windows 11 using either the **Settings app** or the **Command Prompt**. +These methods will show you your **local IP address**, which is the address your device uses to +communicate within your home or office network. + +Your **public IP address**, which is what devices outside your network see, is assigned by your +internet service provider (ISP) and can be found using an online tool or a simple web search. + +#### Method 1: Using the Settings App โš™๏ธ + +1. Open the **Start menu** and click on **Settings** (or press the **Windows key + I**). +2. In the left-hand menu, click on **Network & internet**. +3. Click on the connection you're currently using, either **Wi-Fi** or **Ethernet**. +4. On the next screen, your IP address (both IPv4 and IPv6) will be listed under the **Properties** section. + +#### Method 2: Using the Command Prompt ๐Ÿ’ป + +1. Click the **Start menu** or the **search icon** on your taskbar, type "**cmd**," and press **Enter**. +2. In the Command Prompt window, type `ipconfig` and press **Enter**. +3. Look for your active connection (e.g., "Ethernet adapter" or "Wireless LAN adapter Wi-Fi"). + Your IP address will be listed next to "**IPv4 Address**." + +### 2) Finding Your Public IP Address ๐ŸŒ + +a) At Arris Cable Modem, public IP address is at Login / WAN Setup / DHCP / IP Address + +b) To find your public IP address, simply open a web browser and search for "**what is my IP**." + A search engine like Google will display your public IP address right at the top of the search results. + +### 3) If you don't have domain name like example.com + +1. Register and login to https://cloudflare.com + +2. Buy a domain, like example.com + +### 4) Add settings at CloudFlare + +1. CloudFlare / Account Home / AI Audit: Block all AI crawlers, so that they do not slow down your websites and WeKan. + But if you need Google Search to see your website like example.com, allow Googlebot. + +2. CloudFlare / Account Home / example.com / DNS / Records / Add Record + +``` +Type: A +Name: wekan (for wekan.example.com, or kanban for kanban.example.com) +IPv4 Address: YOUR-PUBLIC-IPv4-ADDRESS (example: 80.123.123.123) +- Proxy Status: Orange cloud selected (not grey cloud) +- TTL: Auto +``` +3. Click Save + +4. CloudFlare / Account Home / example.com / Origin Server / Create Cerfificate for example.com + +5. At Notepad, copy paste SSL/TLS certs in this order from top to bottom to one textfile `example.com.pem`: + +``` +1. Private Cert +2. Public Cert +3. Certificate Chain +``` + +6. Have for example this directory structure (can also be D: or E: etc) + +``` +C:. +โ”œโ”€โ”€โ”€wekan directory +โ”‚ โ”œโ”€โ”€โ”€files directory +โ”‚ โ”œโ”€โ”€โ”€certs directory +โ”‚ โ”‚ โ””โ”€โ”€โ”€example.com.pem +โ”‚ โ”œโ”€โ”€โ”€bundle directory +โ”‚ โ”‚ โ””โ”€โ”€โ”€main.js +โ”‚ โ”œโ”€โ”€โ”€caddy.exe from .zip file +โ”‚ โ”œโ”€โ”€โ”€Caddyfile textfile for Caddy 2 config +โ”‚ โ””โ”€โ”€โ”€start-wekan.bat textfile +โ”‚ +โ””โ”€โ”€โ”€Program Files +``` + +7. Edit `start-wekan.bat` with Notepad, search and change these settings, change subdomain wekan.example.com + and node saving cmd.exe text outout to log.txt for logging: + +``` +SET WRITABLE_PATH=..\FILES + +SET ROOT_URL=https://wekan.example.com + +SET PORT=2000 + +node main.js > log.txt 2>&1 +``` +If you have problems with attachments, instead try: +``` +SET WRITABLE_PATH=..\FILES\ +``` + +8. Download newest Caddy webserver caddy_VERSION-NUMBER_windows_amd64.zip from +https://github.com/caddyserver/caddy/releases , +extract .zip file, and copy caddy.exe to above directory structure. + +- Caddy website https://caddyserver.com +- Caddy features https://caddyserver.com/features +- Caddy code https://github.com/caddyserver/caddy +- Caddy forum https://caddy.community/ + +9. To Caddyfile, with Notepad add this: + +``` +wekan.example.com { + tls { + load C:\wekan\certs\example.com.pem + alpn http/1.1 + } + proxy / localhost:2000 { + websocket + transparent + } +} +``` +10. Open `cmd.exe` terminal, write there: + +``` +C: + +cd \wekan + +wekan.bat +``` + +11. Open another `cmd.exe` terminal, write there: + +``` +C: + +cd \wekan + +caddy fmt --overwrite Caddyfile + +caddy validate +``` +If there is errors, ask Google Search about that error, edit Caddyfile with Notepad to fix it. + +If there is not any errors, start Caddy: +``` +caddy +``` +This will start Caddy, like this: + +example.com CloudFlare SSL/TLS Origin Certificate HTTP 443 +=> Public IPv4 Cable modem HTTPS port 443 +=> Local IPv4 HTTPS port 443 Caddy +=> Local IPv4 HTTP port 2000 Node.js main.js WeKan +=> MongoDB port 27017 + +From CloudFlare to Caddy, all is SSL/TLS encrypted. +Caddy proxies all encrypted traffic to Node.js unencrypted HTTP port 2000. + +At WeKan server laptop/desktop, locally between these executeable files, +HTTP traffic is not encrypted: +- Between Caddy and WeKan +- Between WeKan and MongoDB + +But outside of that server, all is SSL/TLS encrypted. + +#### 1) At your Internet router, forward ports HTTP 80 and HTTPS 443 to your server laptop/desktop IP address. Example: + +Arris cable modem: + +1. Login +2. Firewall / Virtual Server Port Forwarding +3. Add HTTP 80 and HTTPS 443: + +HTTP 80: +``` +Description: HTTP +Inbound Port: 80 to 80 +Format: TCP +Private IP Address: YOUR-WEKAN-SERVER-LOCAL-IPv4-ADDRESS (example: 192.168.0.200) +Local Port: 80 to 80 +``` + +HTTPS 443: +``` +Description: HTTP +Inbound Port: 443 to 443 +Format: TCP +Private IP Address: YOUR-WEKAN-SERVER-LOCAL-IPv4-ADDRESS (example: 192.168.0.200) +Local Port: 443 to 443 +``` + + + ## Docker WeKan Offline